(!1639) xkb: fix length checking with bigreq
The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This commit is contained in:
		
							parent
							
								
									a1ea8145e9
								
							
						
					
					
						commit
						2ef5751bf8
					
				
							
								
								
									
										18
									
								
								xkb/xkb.c
								
								
								
								
							
							
						
						
									
										18
									
								
								xkb/xkb.c
								
								
								
								
							|  | @ -255,7 +255,7 @@ ProcXkbSelectEvents(ClientPtr client) | ||||||
|         register unsigned bit, ndx, maskLeft, dataLeft, size; |         register unsigned bit, ndx, maskLeft, dataLeft, size; | ||||||
| 
 | 
 | ||||||
|         from.c8 = (CARD8 *) &stuff[1]; |         from.c8 = (CARD8 *) &stuff[1]; | ||||||
|         dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); |         dataLeft = (client->req_len * 4) - sizeof(xkbSelectEventsReq); | ||||||
|         maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); |         maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); | ||||||
|         for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { |         for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { | ||||||
|             if ((bit & maskLeft) == 0) |             if ((bit & maskLeft) == 0) | ||||||
|  | @ -3372,7 +3372,7 @@ ProcXkbSetIndicatorMap(ClientPtr client) | ||||||
|         if (stuff->which & bit) |         if (stuff->which & bit) | ||||||
|             nIndicators++; |             nIndicators++; | ||||||
|     } |     } | ||||||
|     if (stuff->length != ((SIZEOF(xkbSetIndicatorMapReq) + |     if (client->req_len != ((sizeof(xkbSetIndicatorMapReq) + | ||||||
|                            (nIndicators * SIZEOF(xkbIndicatorMapWireDesc))) / |                            (nIndicators * SIZEOF(xkbIndicatorMapWireDesc))) / | ||||||
|                           4)) { |                           4)) { | ||||||
|         return BadLength; |         return BadLength; | ||||||
|  | @ -4276,8 +4276,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, | ||||||
|             return BadAtom; |             return BadAtom; | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|     if ((tmp - ((CARD32 *) stuff)) != stuff->length) { |     if ((tmp - ((CARD32 *) stuff)) != client->req_len) { | ||||||
|         client->errorValue = stuff->length; |         client->errorValue = client->req_len; | ||||||
|         return BadLength; |         return BadLength; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|  | @ -5872,11 +5872,11 @@ ProcXkbListComponents(ClientPtr client) | ||||||
|             return BadLength; |             return BadLength; | ||||||
|         size = *((uint8_t *)str); |         size = *((uint8_t *)str); | ||||||
|         len = (str + size + 1) - ((unsigned char *) stuff); |         len = (str + size + 1) - ((unsigned char *) stuff); | ||||||
|         if ((XkbPaddedSize(len) / 4) > stuff->length) |         if ((XkbPaddedSize(len) / 4) > client->req_len) | ||||||
|             return BadLength; |             return BadLength; | ||||||
|         str += (size + 1); |         str += (size + 1); | ||||||
|     } |     } | ||||||
|     if ((XkbPaddedSize(len) / 4) != stuff->length) |     if ((XkbPaddedSize(len) / 4) != client->req_len) | ||||||
|         return BadLength; |         return BadLength; | ||||||
|     rep = (xkbListComponentsReply) { |     rep = (xkbListComponentsReply) { | ||||||
|         .type = X_Reply, |         .type = X_Reply, | ||||||
|  | @ -5958,7 +5958,7 @@ ProcXkbGetKbdByName(ClientPtr client) | ||||||
|     names.geometry = GetComponentSpec(client, stuff, &str, TRUE, &status); |     names.geometry = GetComponentSpec(client, stuff, &str, TRUE, &status); | ||||||
|     if (status == Success) { |     if (status == Success) { | ||||||
|         len = str - ((unsigned char *) stuff); |         len = str - ((unsigned char *) stuff); | ||||||
|         if ((XkbPaddedSize(len) / 4) != stuff->length) |         if ((XkbPaddedSize(len) / 4) != client->req_len) | ||||||
|             status = BadLength; |             status = BadLength; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|  | @ -6819,7 +6819,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, | ||||||
|         if (status != Success) |         if (status != Success) | ||||||
|             return status; |             return status; | ||||||
|     } |     } | ||||||
|     if (((wire - ((char *) stuff)) / 4) != stuff->length) |     if (((wire - ((char *) stuff)) / 4) != client->req_len) | ||||||
|         return BadLength; |         return BadLength; | ||||||
| 
 | 
 | ||||||
|     return Success; |     return Success; | ||||||
|  | @ -6974,7 +6974,7 @@ ProcXkbSetDebuggingFlags(ClientPtr client) | ||||||
|             ErrorF("[xkb] XkbDebug: Setting debug controls to 0x%lx\n", |             ErrorF("[xkb] XkbDebug: Setting debug controls to 0x%lx\n", | ||||||
|                    (long) newCtrls); |                    (long) newCtrls); | ||||||
|     } |     } | ||||||
|     extraLength = (stuff->length << 2) - sz_xkbSetDebuggingFlagsReq; |     extraLength = (client->req_len << 2) - sz_xkbSetDebuggingFlagsReq; | ||||||
|     if (stuff->msgLength > 0) { |     if (stuff->msgLength > 0) { | ||||||
|         char *msg; |         char *msg; | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
		Loading…
	
		Reference in New Issue